Using Proxy Arp with pfSense
May 29, 4:06 pm | Mac
Proxy ARP is a nice feature to have when you're making changes in the network and need things to keep working along the way. It's really easy to use on a Cisco or Juniper router, but there are a few caveats when using the feature on pfSense.
To understand what proxy arp does, think of the following situation:
You have a LAN with a network of 10.10.10.0/24.
Elsewhere on the network you have a different network segment, say 10.20.20.0/24. On that segment is a host with the address 10.20.20.100.
You want traffic that used to go to 10.10.10.100 to go to the host at 10.20.20.100 instead. Assume you don't have control over where the traffic is coming from and your only choice is to take the traffic 'as-is' on your network.
The first step in the process is to multihome the server at 10.20.20.100: bring up the IP address 10.10.10.100 on it with a /32 mask (just the one single address). I'm using CentOS 7, so I created the file /etc/sysconfig/network-scripts/ifcfg-eth0:1 with the following:
# alias interface eth0:1, a second address on eth0
DEVICE=eth0:1
IPADDR=10.10.10.100
# /32 mask: only this single address, no on-link subnet
NETMASK=255.255.255.255
For some reason I couldn't say PREFIX=32, not sure why. Anyway, you'll then have a multihomed machine. Leave the primary interface alone, as well as the default gateway.
The next step is to add a /32 route for that address on the host's next-hop gateway. I'm using pfSense there, so I first had to add a gateway entry for the machine itself before I could add the static route: under System/Routing/Gateways I added a new gateway with 10.20.20.100 as the gateway address, picking the correct interface. Then, under System/Routing/Static Routes, I added a route for 10.10.10.100 to the gateway 10.20.20.100.
I'm running OSPF and have it configured to redistribute kernel routes (the kind pfSense creates here), so now the route is on the network and the address 10.10.10.100 is reachable from everywhere except the original 10.10.10.0/24 segment. Why? Because a host on that segment believes 10.10.10.100 is directly connected: its normal behavior is to send an ARP request (who has 10.10.10.100?) on the local segment and wait for a MAC address to be returned, and nothing on that segment answers. This is where you need the help provided by proxy ARP.
A router using proxy ARP on a segment knows about a more specific route (our /32) for an address that would otherwise look local, reachable through another interface. When it sees an ARP request for that address, it pretends to be that host and answers with its own MAC. The sending host then uses that MAC as the destination of the Ethernet frame and sends it. The router receives the frame, strips off the layer 2 header and uses its routing table to decide where to forward the packet.
So the last step in this process is to add a Proxy ARP virtual IP by going to Firewall/Virtual IPs/Add. Choose Proxy ARP as the type and select the interface for the 10.10.10.0/24 segment. Select 'Single address' and enter 10.10.10.100/32. Save it and you're all set.
The caveats I've found are mostly related to the firewall functions. pfSense likes to make everything stateful, so make sure your paths are symmetrical: the return traffic from 10.10.10.100 has to come back through the same pfSense that saw the forward packets, or you'll find packets getting dropped even if you have an 'allow all' rule in place.
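As an added example (not from the original post), here is a small Python model of the ARP decision described above, using the post's addresses; the interface names, MAC addresses and the router's own addresses are constructed. It covers both pfSense's behaviour (answer only for an explicitly configured Proxy ARP virtual IP) and the classic route-driven proxy ARP of a Cisco/Juniper-style router mentioned at the top.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str       # egress interface
    via: str = ""    # next hop; empty when directly connected

class Router:  # toy router modelling when proxy ARP answers an ARP request
    def __init__(self, ifaces, routes, proxy_vips=None):
        self.ifaces = ifaces                 # {name: (mac, IPv4Interface)}
        # longest prefix first, so the first match in lookup() is the best route
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.proxy_vips = proxy_vips or {}   # pfSense style: {iface: {addresses}}

    def lookup(self, dst):
        dst = ipaddress.ip_address(str(dst))  # accept a string or an address object
        return next((r for r in self.routes if dst in r.prefix), None)

    def arp_reply(self, in_iface, target, explicit_only=True):
        """Return the MAC to answer with, or None when the router stays silent.
        explicit_only=True: pfSense, answer only for Proxy ARP VIPs configured on in_iface.
        explicit_only=False: classic proxy ARP, answer when the best route leaves via another interface."""
        target = ipaddress.ip_address(target)
        mac, addr = self.ifaces[in_iface]
        if target == addr.ip:
            return mac                       # ordinary ARP for the router's own address
        if explicit_only:
            return mac if target in self.proxy_vips.get(in_iface, set()) else None
        route = self.lookup(target)
        if route is None or route.iface == in_iface:
            return None                      # no path, or it leads back out the same link
        return mac

def build_example():
    """The post's setup (constructed MACs and router addresses): LAN 10.10.10.0/24,
    second segment 10.20.20.0/24, /32 for 10.10.10.100 via 10.20.20.100, VIP on LAN."""
    ifaces = {
        "lan":   ("00:00:5e:00:53:01", ipaddress.ip_interface("10.10.10.1/24")),
        "net20": ("00:00:5e:00:53:02", ipaddress.ip_interface("10.20.20.1/24")),
    }
    routes = [
        Route(ipaddress.ip_network("10.10.10.0/24"), "lan"),
        Route(ipaddress.ip_network("10.20.20.0/24"), "net20"),
        Route(ipaddress.ip_network("10.10.10.100/32"), "net20", "10.20.20.100"),
    ]
    return Router(ifaces, routes, {"lan": {ipaddress.ip_address("10.10.10.100")}})
```

With explicit_only=False the same router answers for 10.10.10.100 on the LAN purely because the /32 points out a different interface, which is why a Cisco or Juniper box needs no extra configuration step there, while pfSense needs the virtual IP.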